Net boffins brew poison for BGP hijacks

The Border Gateway Protocol (BGP) is one of the Internet's basic pieces of plumbing, but it's also so old that it was designed before the security needs of a multi-billion-user network were understood.

In particular, BGP is notorious for allowing sysadmins to “black-hole” huge swathes of traffic either by fat-fingering route advertisements, or in some suspected cases, maliciously advertising routes that send commercial rivals' traffic into dead zones that kill the user experience.

Which is why a group of researchers from Europe and America reckon they've created a framework that would let service providers neutralize a BGP hijack in minutes.

The researchers, from The Center for Applied Internet Data Analysis (CAIDA), Greek research institute ICS-FORTH, and Telecom ParisTech, outlined their work in a paper on arXiv.

The group wrote that their mitigation approach, dubbed ARTEMIS (Automatic and Real-Time dEtection and MItigation System), was made possible by the emergence of public BGP monitoring services that offer real-time streaming.

Those feeds, the authors believe, mean operators can respond to a hijack without waiting for manual verification of alerts.

A network operator would configure ARTEMIS with information about its own AS (Autonomous System, a routing unit in BGP), and watch the external feeds for AS-PATH events that affect its network, meaning the system “can detect any class of hijacking event, and generate alerts”.

Alerts raised by ARTEMIS include the affected prefixes, the type of hijacking attempt, the observed impact, the AS Numbers involved, and the detection confidence level.
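To make the detection step concrete, here is an added example (my own illustration, not the ARTEMIS code or the paper's algorithm) of how an operator's configuration can be checked against a stream of BGP updates from public monitors. The configuration, the ASNs, the update records and the confidence heuristic (share of monitors that saw the bad route) are all constructed for this example; the three hijack classes it distinguishes (wrong origin, unexpected sub-prefix, unexpected neighbour next to the origin) are a simplified reading of the "any class of hijacking event" claim above.

```python
import ipaddress
from collections import defaultdict

# Hypothetical operator configuration (constructed, not from the paper): prefixes the
# operator originates, ASNs allowed to originate them, and upstream neighbours that
# should appear immediately before the origin in a legitimate AS-PATH.
OWN_CONFIG = {
    "10.0.0.0/23": {"origins": {65001}, "neighbors": {65100, 65200}},
}
TOTAL_MONITORS = 4  # constructed: number of vantage points in the monitoring feed

# Constructed BGP update records as a streaming monitor might deliver them.
SAMPLE_UPDATES = [
    {"monitor": 1, "prefix": "10.0.0.0/23", "as_path": [65300, 65100, 65001]},  # legitimate
    {"monitor": 2, "prefix": "10.0.0.0/23", "as_path": [65300, 65666]},         # wrong origin
    {"monitor": 3, "prefix": "10.0.0.0/23", "as_path": [65400, 65666]},         # wrong origin
    {"monitor": 4, "prefix": "10.0.1.0/24", "as_path": [65400, 65777]},         # sub-prefix
    {"monitor": 1, "prefix": "10.0.0.0/23", "as_path": [65300, 65999, 65001]},  # fake neighbour
    {"monitor": 2, "prefix": "192.0.2.0/24", "as_path": [65300, 65001]},        # not ours
]


def parse_config(cfg):
    """Turn the textual config into (network, origin ASNs, neighbour ASNs) tuples."""
    return [(ipaddress.ip_network(p), set(v["origins"]), set(v["neighbors"]))
            for p, v in cfg.items()]


def classify_update(update, config):
    """Return an alert dict if the update conflicts with the config, else None."""
    prefix = ipaddress.ip_network(update["prefix"])
    path = update["as_path"]
    origin = path[-1]
    first_hop = path[-2] if len(path) > 1 else None
    for own_prefix, origins, neighbors in config:
        if prefix == own_prefix:
            if origin not in origins:
                kind, hijacker = "exact-prefix origin hijack", origin
            elif first_hop is not None and first_hop not in neighbors:
                kind, hijacker = "path hijack (unexpected neighbour before origin)", first_hop
            else:
                return None  # exact prefix, legitimate origin and neighbour
        elif prefix.subnet_of(own_prefix):
            # A more specific announcement we never configured wins longest-prefix match.
            kind, hijacker = "sub-prefix hijack", origin
        else:
            continue
        return {"prefix": str(prefix), "type": kind, "hijacker_asn": hijacker,
                "as_path": path, "monitor": update["monitor"]}
    return None  # prefix unrelated to this operator


def detect(updates, config=None, total_monitors=TOTAL_MONITORS):
    """Aggregate per-monitor alerts into one alert per (prefix, type, hijacker)."""
    cfg = parse_config(OWN_CONFIG if config is None else config)
    seen = defaultdict(set)   # key -> monitors that observed the bad route
    example_path = {}
    for upd in updates:
        alert = classify_update(upd, cfg)
        if alert is None:
            continue
        key = (alert["prefix"], alert["type"], alert["hijacker_asn"])
        seen[key].add(alert["monitor"])
        example_path[key] = alert["as_path"]
    return [{
        "prefix": prefix, "type": kind, "hijacker_asn": hijacker,
        "example_path": example_path[(prefix, kind, hijacker)],
        "impact": len(monitors),                                   # polluted vantage points
        "confidence": round(len(monitors) / total_monitors, 2),    # constructed heuristic
    } for (prefix, kind, hijacker), monitors in seen.items()]


if __name__ == "__main__":
    for alert in detect(SAMPLE_UPDATES):
        print(alert)
```

The impact and confidence fields are only as good as the monitor coverage: a hijack that none of the feed's vantage points can see produces no alert at all, which is the main limitation of relying on public monitors.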

ARTEMIS doesn't eliminate a network operator's need to contact other operators when a BGP event happens, but operators also often respond by deaggregating the affected prefix, and it's this step that the system automates.

By way of explanation of this technique, the paper states:

“For example, upon the detection of a hijack for the prefix 10.0.0.0/23, the network can perform prefix deaggregation and announce two more specific sub-prefixes: 10.0.0.0/24 and 10.0.1.0/24. These subprefixes will disseminate in the Internet and the polluted ASes will re-establish legitimate routes, since more-specific prefixes are preferred by BGP”.
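The quoted deaggregation step, and why it works, can be shown with a small added example (my own, not code from the paper or the ARTEMIS project). It splits a prefix into its two more-specific halves and runs a longest-prefix-match lookup over a constructed routing table, first while polluted by a hijacker's /23 and then after the legitimate origin's two /24s arrive. The ASNs and the routing table are constructed; the /24 limit in `deaggregate` is an assumption that mirrors the common operator practice of filtering IPv4 announcements longer than /24, which is also why a hijacked /24 cannot be rescued this way. The same route-selection logic is what lets a mitigation partner's announcements (the MOAS approach described further down) pull the traffic towards its scrubbing centres.

```python
import ipaddress

# Assumed operator policy: many networks drop IPv4 announcements longer than /24,
# so deaggregating below that would not propagate (constructed constant).
MAX_ACCEPTED_PREFIXLEN = 24


def deaggregate(prefix):
    """Split a prefix into its two more-specific halves, as in the paper's example."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen + 1 > MAX_ACCEPTED_PREFIXLEN:
        raise ValueError(f"{net} cannot be deaggregated below /{MAX_ACCEPTED_PREFIXLEN}")
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def best_route(rib, dest):
    """Longest-prefix match: return the origin ASN of the most specific covering prefix."""
    addr = ipaddress.ip_address(dest)
    candidates = [(ipaddress.ip_network(net), origin) for net, origin in rib
                  if addr in ipaddress.ip_network(net)]
    if not candidates:
        return None
    net, origin = max(candidates, key=lambda c: c[0].prefixlen)
    return origin


def mitigate(polluted_rib, hijacked_prefix, legit_origin):
    """Add the legitimate origin's more-specific announcements to a polluted table."""
    rib = list(polluted_rib)
    for sub in deaggregate(hijacked_prefix):
        rib.append((sub, legit_origin))
    return rib


if __name__ == "__main__":
    # Constructed: a remote AS whose table currently prefers the hijacker (AS65666)
    # for the whole /23; AS65001 is the legitimate origin.
    polluted = [("10.0.0.0/23", 65666)]
    print("before:", best_route(polluted, "10.0.1.7"))
    fixed = mitigate(polluted, "10.0.0.0/23", 65001)
    print("after: ", best_route(fixed, "10.0.1.7"))
```

Note that the hijacker's /23 is still in the table afterwards; deaggregation does not withdraw the bogus route, it merely makes it lose every forwarding decision for addresses covered by the new /24s.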

BGP Multiple Origin AS (MOAS) announcements are another part of ARTEMIS's mitigation strategy. MOAS, the practice of outsourcing BGP announcements to another organisation, is used in (for example) DDoS defence.

In that model, companies that mitigate attacks “redirect the traffic (using BGP/MOAS or DNS) to their locations and scrubbing centers, remove malicious traffic, and forward/relay the legitimate traffic to the victim”.

If ARTEMIS detects a BGP hijack, the system sends the alert to the mitigation organisation, which announces the hijacked prefix from its own locations or routers; this means the mitigation company attracts the traffic from the Internet so it can tunnel it back to the legitimate network.

In their experiments, the researchers wrote that ARTEMIS could detect hijacks in as little as five seconds, and “the vast majority of the ASes recover from the hijack within 60 seconds”. ®